6. Use the WLST startServer command to start the Administration Server.
Note: Oracle recommends that you do not use WLST offline to manage the configuration of an active WebLogic domain. Offline edits are ignored by running servers and can be overwritten by JMX clients such as WLST online or the WebLogic Server Administration Console.
Table 6–2 Steps for Updating an Existing WebLogic Domain (Offline)
To...                                          Use this command...             For more information, see...
Open an existing WebLogic domain for update    readDomain(domainDirName)       "readDomain" in WebLogic Scripting Tool Command Reference
Extend the current WebLogic domain (optional)  addTemplate(templateFileName)   "addTemplate" in WebLogic Scripting Tool Command Reference
Modify the WebLogic domain (optional)          Browsing and editing commands   Section 3.1.1, "Browsing Information About the Configuration Hierarchy (Offline)" and Section 3.1.2, "Editing a WebLogic Domain (Offline)"
Save the WebLogic domain                       updateDomain()                  "updateDomain" in WebLogic Scripting Tool Command Reference
Close the WebLogic domain                      closeDomain()                   "closeDomain" in WebLogic Scripting Tool Command Reference
6.3 Managing Security Data (WLST Online)
In the WebLogic Security Service, an Authentication provider is the software component that proves the identity of users or system processes. An Authentication provider also remembers, transports, and makes that identity information available to various components of a system when needed.
A security realm can use different types of Authentication providers to manage different sets of users and groups. (See "Authentication Providers" in Developing Security Providers for Oracle WebLogic Server.) You can use WLST to invoke operations on:
■ The default WebLogic Server Authentication provider, AuthenticatorMBean. By default, all security realms use this Authentication provider to manage users and groups.
■ Custom Authentication providers that implement the weblogic.security.spi.AuthenticationProvider interface and extend the optional Authentication SSPI MBeans. See "SSPI MBean Quick Reference" in Developing Security Providers for Oracle WebLogic Server.
The following sections describe basic tasks for managing users and groups using WLST:
■ Section 6.3.1, "Determining If You Need to Access the Edit Hierarchy"
■ Section 6.3.2, "Creating a User"
■ Section 6.3.3, "Adding a User to a Group"
■ Section 6.3.4, "Verifying Whether a User Is a Member of a Group"
■ Section 6.3.5, "Listing Groups to Which a User Belongs"
■ Section 6.3.6, "Listing Users and Groups in a Security Realm"
■ Section 6.3.7, "Changing a Password"
■ Section 6.3.8, "Protecting User Accounts in a Security Realm"
■ Section 6.3.9, "Configuring Additional LDAP Authentication Providers"
For information about additional tasks that the AuthenticationProvider MBeans support, see "AuthenticationProviderMBean" in the Oracle WebLogic Server MBean Reference.
6.3.1 Determining If You Need to Access the Edit Hierarchy
If you are using WLST to change the configuration of a security MBean, you must access the edit hierarchy and start an edit session. For example, if you change the value of the LockoutThreshold attribute in UserLockoutManagerMBean, you must be in the edit hierarchy.
If you invoke security provider operations to add, modify, or remove data in a security provider data store, WLST does not allow you to be in the edit hierarchy. Instead, invoke these commands from the serverConfig or domainConfig hierarchy. For example, you cannot invoke the createUser operation of an AuthenticatorMBean from the edit hierarchy. WLST enforces this restriction to prevent incompatible changes: an edit session could contain an unactivated change that removes a security feature and would invalidate modifications made to the provider's data in the meantime.
6.3.2 Creating a User
To create a user, invoke the UserEditorMBean.createUser method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the "createUser" method of the UserEditorMBean in the Oracle WebLogic Server MBean Reference.
The method requires three input parameters: the user name, the password, and a description of the user. The password must be at least eight characters, with at least one special character or numeric character.
WLST cannot invoke this command from the edit hierarchy, but it can invoke the command from the serverConfig or domainConfig hierarchy.
The following WLST online script invokes createUser on the default authentication provider.
Example 6–6 Creating a User
from weblogic.management.security.authentication import UserEditorMBean
print "Creating a user ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
# arguments: user name, password, description ('welcome1' is a placeholder; do not leave real passwords in scripts)
atnr.createUser('new_user','welcome1','new_admin')
print "Created user successfully"
6.3.3 Adding a User to a Group
To add a user to a group, invoke the GroupEditorMBean.addMemberToGroup method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the "addMemberToGroup" method in the Oracle WebLogic Server MBean Reference.
The method requires two input parameters:
groupname
username
WLST cannot invoke this command from the edit hierarchy, but it can invoke the command from the serverConfig or domainConfig hierarchy.
The following WLST online script invokes addMemberToGroup on the default Authentication Provider. For information on how to run this script, see Section 2.4.1, "Invoking WLST".
Example 6–7 Adding a User to a Group
from weblogic.management.security.authentication import GroupEditorMBean
print "Adding a user ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
# arguments: group name, user name
atnr.addMemberToGroup('Administrators','my_user')
print "Done adding a user"
6.3.4 Verifying Whether a User Is a Member of a Group
To verify whether a user is a member of a group, invoke the GroupEditorMBean.isMember method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the "isMember" method in the Oracle WebLogic Server MBean Reference.
The method requires three input parameters:
groupname
username
boolean
where boolean specifies whether the command searches within child groups. If you specify true, the command returns true if the member belongs to the group that you specify or to any of the groups contained within that group.
WLST cannot invoke this command from the edit hierarchy, but it can invoke the command from the serverConfig or domainConfig hierarchy.
The following WLST online script invokes isMember on the default Authentication Provider. For information on how to run this script, see Section 2.4.1, "Invoking WLST".
Example 6–8 Verifying Whether a User is a Member of a Group
from weblogic.management.security.authentication import GroupEditorMBean
user = "my_user"
print "Checking if "+user+" is a Member of a group ... "
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
# third argument true: also search groups nested inside Administrators (true is predefined by WLST)
if atnr.isMember('Administrators',user,true) == 0:
    print user+" is not member of Administrators"
else:
    print user+" is a member of Administrators"
6.3.5 Listing Groups to Which a User Belongs
To see a list of groups that contain a user or a group, invoke the MemberGroupListerMBean.listMemberGroups method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the "listMemberGroups" method of the MemberGroupListerMBean in the WebLogic Server MBean Reference.
The method requires one input parameter:
memberUserOrGroupName
where memberUserOrGroupName specifies the name of an existing user or a group.
WLST cannot invoke this command from the edit hierarchy, but it can invoke the command from the serverConfig or domainConfig hierarchy.
The following WLST online script invokes listMemberGroups on the default Authentication provider. For information on how to run this script, see Section 2.4.1, "Invoking WLST".
Example 6–9 Listing Groups to Which a User Belongs
from weblogic.management.security.authentication import MemberGroupListerMBean
print "Listing the member groups ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
x = atnr.listMemberGroups('my_user')
print x
The method returns a cursor value (for example, Cursor_16), which refers to a list of names. The NameLister.haveCurrent, getCurrentName, and advance operations iterate through the returned list and retrieve the name to which the current cursor position refers. See "NameListerMBean" in the Oracle WebLogic Server MBean Reference.
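The following script is an added example and is not part of the Oracle page: it ties Sections 6.3.1 through 6.3.5 together by provisioning a user into a group from the serverConfig hierarchy, skipping steps that were already done, and then walking the cursor that listMemberGroups returns instead of printing the cursor name. It assumes WLST online is already connected, that the realm's default provider is named DefaultAuthenticator, and that the new user's password is supplied in an environment variable named NEW_USER_PASSWORD (a name chosen for this example) so that it is not written into the script. The user name and group name are placeholders.

```jython
# Added example, not from the Oracle page. Assumes: WLST online connected,
# provider "DefaultAuthenticator", password in env var NEW_USER_PASSWORD.
from java.lang import System
from weblogic.management.security.authentication import UserReaderMBean

userName  = 'new_user'    # placeholder
groupName = 'Deployers'   # placeholder; a default WebLogic group
password  = System.getenv('NEW_USER_PASSWORD')
if password is None:
    raise Exception('NEW_USER_PASSWORD is not set')

# Provider data operations are rejected from the edit hierarchy (Section 6.3.1),
# so make sure we are in serverConfig before touching the provider.
serverConfig()
realm = cmo.getSecurityConfiguration().getDefaultRealm()
atnr  = realm.lookupAuthenticationProvider('DefaultAuthenticator')
if atnr is None:
    raise Exception('DefaultAuthenticator not found in realm ' + realm.getName())
if not isinstance(atnr, UserReaderMBean):
    raise Exception('provider does not expose the UserReader operations')

# Idempotent create: userExists comes from UserReaderMBean, which the default
# provider implements, so rerunning the script does not fail on createUser.
if atnr.userExists(userName):
    print userName + ' already exists; skipping createUser'
else:
    atnr.createUser(userName, password, 'created by WLST provisioning script')
    print 'created ' + userName

# Check the group exists and add the user only if it is not already a member
# (true = also search nested groups; true is predefined by WLST).
if not atnr.groupExists(groupName):
    raise Exception('group ' + groupName + ' does not exist')
if not atnr.isMember(groupName, userName, true):
    atnr.addMemberToGroup(groupName, userName)
    print 'added ' + userName + ' to ' + groupName

# listMemberGroups returns a cursor. Walk it with the NameLister operations and
# always close it, so the server releases the resources held for the list even
# if an error occurs part-way through.
cursor = atnr.listMemberGroups(userName)
groups = []
try:
    while atnr.haveCurrent(cursor):
        groups.append(atnr.getCurrentName(cursor))
        atnr.advance(cursor)
finally:
    atnr.close(cursor)
print userName + ' is a member of: ' + str(groups)
```

Run it with the WLST script runner after connecting, as described in Section 2.4.1, "Invoking WLST". The try/finally around the cursor loop is the one habit worth copying into every listing script on this page: a cursor that is never closed keeps server-side state alive for the life of the session.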
6.3.6 Listing Users and Groups in a Security Realm
To see a list of user or group names, you invoke a series of methods, all of which are available through the AuthenticationProvider interface:
■ The GroupReaderMBean.listGroups and UserReaderMBean.listUsers methods take two input parameters: a pattern of user or group names to search for, and the maximum number of names that you want to retrieve.
Because a security realm can contain thousands (or more) of user and group names that match the pattern, the methods return a cursor, which refers to a list of names.
For more information, see the "listGroups" operation in the GroupReaderMBean and the "listUsers" operation in the UserReaderMBean in the Oracle WebLogic Server MBean Reference.
■ The NameLister.haveCurrent, getCurrentName, and advance operations iterate through the returned list and retrieve the name to which the current cursor position refers. For more information, see "NameListerMBean" in the Oracle WebLogic Server MBean Reference.
■ The NameLister.close operation releases any server-side resources that are held on behalf of the list.
WLST cannot invoke these commands from the edit hierarchy, but it can invoke them from the serverConfig or domainConfig hierarchy.
The WLST online script in Example 6–10 lists all the users in a realm and the groups to which they belong. For information on how to run this script, see Section 2.4.1, "Invoking WLST".
Example 6–10 Listing Users and Groups
from weblogic.management.security.authentication import UserReaderMBean
from weblogic.management.security.authentication import GroupReaderMBean
realm=cmo.getSecurityConfiguration().getDefaultRealm()
atns = realm.getAuthenticationProviders()
for i in atns:
    if isinstance(i,UserReaderMBean):
        userReader = i
        # pattern "*" matches every name; 0 places no maximum on the number returned
        cursor = i.listUsers("*",0)
        print 'Users in realm '+realm.getName()+' are: '
        while userReader.haveCurrent(cursor):
            print userReader.getCurrentName(cursor)
            userReader.advance(cursor)
        userReader.close(cursor)
for i in atns:
    if isinstance(i,GroupReaderMBean):
        groupReader = i
        cursor = i.listGroups("*",0)
        print 'Groups in realm are: '
        while groupReader.haveCurrent(cursor):
            print groupReader.getCurrentName(cursor)
            groupReader.advance(cursor)
        groupReader.close(cursor)
6.3.7 Changing a Password
To change a user's password, invoke the UserPasswordEditorMBean.changeUserPassword method, which is extended by the security realm's AuthenticationProvider MBean. For more information, see the "changeUserPassword" method in the Oracle WebLogic Server MBean Reference. WLST cannot invoke this command from the edit hierarchy, but it can invoke the command from the serverConfig or domainConfig hierarchy.
The following WLST online script invokes changeUserPassword on the default Authentication Provider. For information on how to run this script, see Section 2.4.1, "Invoking WLST".
Example 6–11 Changing a Password
from weblogic.management.security.authentication import UserPasswordEditorMBean
print "Changing password ..."
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
# arguments: user name, current password, new password
atnr.changeUserPassword('my_user','my_password','new_password')
print "Changed password successfully"
6.3.8 Protecting User Accounts in a Security Realm
The UserLockoutManagerMBean provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. You can decrease the level of protection for user accounts. For example, you can set whether or not lockout is enabled, increase the time period in which invalid login attempts are made before locking the user account, or change the amount of time a user account is locked.
The UserLockoutManagerRuntimeMBean provides a set of attributes for collecting lockout statistics, and operations for managing user lockouts. For example, you can get the number of users currently locked out, get the number of invalid login attempts since the server was started, or clear the lockout on a user account.
For more information about lockout configuration, see the "UserLockoutManagerMBean" interface in the Oracle WebLogic Server MBean Reference. For information about collecting lockout statistics and performing lockout operations, see the "UserLockoutManagerRuntimeMBean" interface in the Oracle WebLogic Server MBean Reference.
The following tasks provide examples for invoking UserLockoutManagerMBean and UserLockoutManagerRuntimeMBean methods:
■ Section 6.3.8.1, "Set Consecutive Invalid Login Attempts"
■ Section 6.3.8.2, "Unlock a User Account"
Note that setting the lockout threshold edits a configuration MBean attribute, so WLST must connect to the Administration Server, navigate to the edit hierarchy, and start an edit session. Unlocking an account is a runtime operation on UserLockoutManagerRuntimeMBean and is invoked from the serverRuntime hierarchy without an edit session.
6.3.8.1 Set Consecutive Invalid Login Attempts
The following WLST online script sets the number of consecutive invalid login attempts before a user account is locked out. For information on how to run this script, see Section 2.4.1, "Invoking WLST".
Example 6–12 Setting Consecutive Invalid Login Attempts
from weblogic.management.security.authentication import UserLockoutManagerMBean
edit()
startEdit()
# You have two choices for getting a user lockout manager to configure
# 1 - to configure the default realm's UserLockoutManager:
ulm=cmo.getSecurityConfiguration().getDefaultRealm().getUserLockoutManager()
# 2 - to configure another realm's UserLockoutManager:
#ulm=cmo.getSecurityConfiguration().lookupRealm("anotherRealm").getUserLockoutManager()
ulm.setLockoutThreshold(3)
save()
activate()
6.3.8.2 Unlock a User Account
The following WLST online script unlocks a user account. For information on how to run this script, see Section 2.4.1, "Invoking WLST".
Example 6–13 Unlocking a User Account
from weblogic.management.runtime import UserLockoutManagerRuntimeMBean
serverRuntime()
ulm=cmo.getServerSecurityRuntime().getDefaultRealmRuntime().getUserLockoutManagerRuntime()
#note1 : You can only manage user lockouts for the default realm starting from
#when the server was booted (versus other non-active realms).
#note2 : If the default realm's user lockout manager's LockoutEnabled attribute
#is false, then the user lockout manager's runtime MBean will be null.
#That is, you can only manage user lockouts in the default realm if its user
#lockout manager is enabled.
if ulm != None:
    ulm.clearLockout("myuser")
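The following script is an added example, not code from the Oracle page. Example 6–13 clears a lockout unconditionally; this version first reads the lockout statistics that Section 6.3.8 describes from UserLockoutManagerRuntimeMBean and clears the lockout only if the account is actually locked, so an administrator sees how many failed attempts preceded the lockout before removing it. It assumes WLST online is connected to a running server; the account name is a placeholder.

```jython
# Added example, not from the Oracle page. Assumes WLST online is connected.
userName = 'myuser'   # placeholder

serverRuntime()
ulm = cmo.getServerSecurityRuntime().getDefaultRealmRuntime().getUserLockoutManagerRuntime()
if ulm is None:
    # LockoutEnabled is false on the default realm's UserLockoutManager (see the
    # notes in Example 6-13): there is no runtime MBean to query until lockout
    # is enabled and the server is restarted.
    print 'user lockout is disabled; no runtime MBean available'
else:
    # Server-wide counters accumulated since boot. A jump in invalid attempts
    # or in attempts made while locked is a cheap indicator of password guessing.
    print 'invalid login attempts since boot : ' + str(ulm.getInvalidLoginAttemptsTotalCount())
    print 'lockouts since boot               : ' + str(ulm.getUserLockoutTotalCount())
    print 'login attempts while locked       : ' + str(ulm.getLoginAttemptsWhileLockedTotalCount())
    print 'users currently locked            : ' + str(ulm.getLockedUsersCount())

    # Per-account state before deciding to clear the lockout.
    failures = ulm.getLoginFailureCount(userName)
    print userName + ' recent failed logins: ' + str(failures)
    if ulm.isLockedOut(userName):
        # For a privileged account, review the server log or audit records for
        # the source of the failures before clearing; clearing restores access
        # but does not reset the attacker.
        ulm.clearLockout(userName)
        print 'cleared lockout for ' + userName
    else:
        print userName + ' is not locked out; nothing to clear'
```

The counters are runtime values and reset when the server restarts, which is why the script reads them in the same session in which it clears the lockout.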
6.3.9 Configuring Additional LDAP Authentication Providers
In some cases, such as when installing some Oracle Fusion Middleware products, you must add an additional external LDAP authentication provider to the WebLogic Server security providers. This can be done either by using the WebLogic Server Administration Console (see "Configure Authentication and Identity Assertion Providers") or by using WLST.
Example 6–14 shows how to use WLST to add an Oracle Internet Directory (OID) authentication provider. To add other types of LDAP authentication providers, substitute the appropriate class type in the createAuthenticationProvider command, as shown in Table 6–3.
Example 6–14 Adding an Authentication Provider
import jarray
from javax.management import ObjectName
connect('adminUser','adminPassword','t3://'+adminServerHost+':'+adminServerPort)
edit()
startEdit()
cd('/SecurityConfiguration/'+domainName+'/Realms/myrealm')
# In the following command, substitute the appropriate class type from Table 6–3
# for LDAPProviderClassName
cmo.createAuthenticationProvider(LDAPProviderName, LDAPProviderClassName)
cd('/SecurityConfiguration/'+domainName+'/Realms/myrealm/AuthenticationProviders/'+LDAPProviderName)
cmo.setControlFlag('SUFFICIENT')
cmo.setHost(LDAPHost)
cmo.setPort(LDAPPort)
cmo.setPrincipal(LDAPAdmin)
set("Credential",LDAPAdminPassword)
cmo.setGroupBaseDN(LDAPGroupBase)
cmo.setUserBaseDN(LDAPUserBase)
cmo.setUserNameAttribute(usernameattribute)
cmo.setUserObjectClass('inetOrgPerson')
cd('/SecurityConfiguration/'+domainName+'/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator')
cmo.setControlFlag('SUFFICIENT')
cd('/SecurityConfiguration/'+domainName+'/Realms/myrealm')
# Put the new provider first so it is consulted before the embedded LDAP provider
set('AuthenticationProviders',jarray.array([ObjectName('Security:Name=myrealm'+LDAPProviderName),
    ObjectName('Security:Name=myrealmDefaultAuthenticator'),
    ObjectName('Security:Name=myrealmDefaultIdentityAsserter')], ObjectName))
save()
activate()
Note: For important information about switching LDAP authentication providers if the corresponding LDAP server will contain the user or users who start the domain, see "Requirements for Using an LDAP Authentication Provider" in Securing Oracle WebLogic Server.
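The following script is an added example and not part of the Oracle page. After Example 6–14 has been activated, it reads the realm back from the serverConfig hierarchy and checks the provider chain before the change is trusted: the DefaultAuthenticator must still be in the list (otherwise the user who boots the domain may no longer be able to log in, the situation the Note above refers to), the new provider must actually be present, and an LDAP provider that is REQUIRED or that does not use SSL gets a warning. It assumes WLST online is connected, the realm is named myrealm, and the variable LDAPProviderName holds the same value as in Example 6–14.

```jython
# Added example, not from the Oracle page. Assumes WLST online is connected,
# realm 'myrealm', and LDAPProviderName as set for Example 6-14.
from weblogic.management.security.authentication import AuthenticatorMBean
from weblogic.security.providers.authentication import LDAPAuthenticatorMBean

# Read the activated configuration, not the edit tree.
serverConfig()
realm = cmo.getSecurityConfiguration().lookupRealm('myrealm')
names = []
for p in realm.getAuthenticationProviders():
    names.append(p.getName())
    # ControlFlag exists only on authenticators; identity asserters have none.
    if not isinstance(p, AuthenticatorMBean):
        print p.getName() + '  (no ControlFlag)'
        continue
    flag = p.getControlFlag()
    print p.getName() + '  ControlFlag=' + flag
    if isinstance(p, LDAPAuthenticatorMBean):
        if flag == 'REQUIRED':
            # With REQUIRED every login fails while the LDAP server is unreachable,
            # including the boot user's; SUFFICIENT (as in Example 6-14) falls
            # through to the next provider instead.
            print '  WARNING: ' + p.getName() + ' is REQUIRED; logins fail when LDAP is down'
        if not p.isSSLEnabled():
            # The bind credential and every user's password cross the network to
            # the directory in clear text unless SSLEnabled is true.
            print '  WARNING: ' + p.getName() + ' has SSLEnabled=false'

if 'DefaultAuthenticator' not in names:
    print 'WARNING: DefaultAuthenticator is no longer in the realm; see "Requirements for Using an LDAP Authentication Provider"'
if LDAPProviderName not in names:
    print 'WARNING: ' + LDAPProviderName + ' is not in the active provider list; was the edit activated?'
```

Run the check from a fresh WLST session after activate() returns; reading from serverConfig ensures it reports what the server is actually enforcing rather than what a pending edit session contains.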